Text authentication is even worse than almost anyone thought

Everyone has been lecturing IT about how horrible the security is from texting numbers for authentication for years, including me. Now, due to some excellent reporting from Vice, it’s clear that the text situation is far worse than almost anyone thought. It’s not merely texting that has inherent cybersecurity flaws, but the entire telecom space surrounding the text infrastructure is absolutely abysmal.

The demonstrated white hat attack intercepted and rerouted all of the victim’s text messages, but it wasn’t a technical takeover. The white hat (who had been asked by the Vice reporter to try and steal his text messages) simply paid a small fee ($16) to a legitimate SMS marketing and mass messaging firm called Sakari. The whitehat had to lie about having the user’s permission, but no meaningful proof was sought.

“Once the (attacker) is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number,” the Vice story said. “In this case, the (attacker) sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.”

From an IT security perspective, this story gets far more frightening as it delves into how messed up the entire telecom universe is when it comes to protecting text communications. That is yet another reason why texting can’t be trusted for authentication or, for that matter, for almost anything.

Consider this from the story: “In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA (Letter of Authorization) obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.”

For years, the key argument against relying on text message confirmations is that they are susceptible to man-in-the-middle attacks, which is still true. But this peek into the authorized infrastructure for text messages means that text takeovers can happen far more simply.

There are plenty of easily accessed apps that make text-like authentication far more secure, including Google Authenticator, Symantec’s VIP Access, Adobe Authenticator, and Signal. Why risk unencrypted, easily stolen texts for account access or anything else?

For the moment, let’s set aside how relatively easy and low-cost it is to move to a more secure version of text confirmations. Let’s also, for the moment, set aside the compliance and operational risks your team is taking by letting the enterprise grant account access vis unencrypted texts.

How about solely looking at the risk and compliance implications of offering third-party access via unencrypted text authentications? Remember this from the Vice piece: “The (attacker) sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.”

Once a bad guy takes control of a customer’s texts, a vast domino effect kicks in, where lots of businesses can be improperly accessed. What if some lawyer for one of those other companies sees your enterprise as a deep pocket and argues something like “If (your enterprise) hadn’t set off an insecure chain reaction by insisting on using unencrypted texts as authorization, my client wouldn’t have felt comfortable doing the same. Therefore, (your enterprise) should cover our losses.” Sound absurd? Perhaps, but before your people would let such an argument go to trial, they’ll settle by handing over a good chunk of your IT budget increase request for next year.

Then there is the blowback (financial, brand perception, nasty comments on social media, reduction in new customers, etc.) from your installed base and prospects, plus the possibility of litigation from them as well.

And compliance? There are two typical arguments when trying to defend such reckless behavior to regulators. One: “This was typical industry practice. I can produce evidence that 80% of our competitors did it as well.” Two: “At the time, we had no reason to believe that security of non-encrypted texts was that bad.”

As for argument one (typical industry practice), that defense is going to start to melt away quickly. It will work fine to defend this horrific practice for 2020 activity, but companies are going to start pulling away by this summer.

As for argument two (who knew?), this Vice story and the reaction to it are going to obliterate that defense as well.

Don’t let your enterprise be the last in its sector to ditch unencrypted texting for authentication. Those are the companies that end up paying the highest price.